Add Redis Sentinel Authentication Support

[jsievenpiper]

👋🏾 Hey there!

I was looking to configure my gitea cache to use my existing redis sentinel setup, but found that I wasn't able to supply any authentication parameters to it. So this PR brings support to do that, along with some light extraction of a couple of bits into some separate functions for easier testing (and of course, some tests as well).

I looked at other libraries supporting similar RedisUri-style connection strings (e.g. Lettuce), but it looks like this type of configuration is beyond what would typically be done in a connection string. Since gitea doesn't have configuration options for manually specifying all this redis connection detail, I went ahead and just chose straightforward names for these new parameters.

I think there are two main concerns with this approach:

• the implementation details are a bit confusing -- to be fair, it can be confusing in general to consider the ACL requirements in a sentinel setup just in general, but having two sets of credentials in a single connection string is definitely more complicated.
• putting credentials outside the standard URI location exposes them to being leaked more easily... granted, I think this is not hugely concerning since a practical installation would have this coming from some sort of secrets management system -- more ideally these configuration options would be directly exposed in gitea's configuration, but it looks like the spirit of the config file was to be really abstract for this section, so not sure there's much to be done there without refactoring and making a breaking change in the config file schema.

Looking forward to your feedback!

[codecov-commenter]

Codecov Report

Merging #19213 (b475df1) into main (49c5fc5) will decrease coverage by 0.03%.
The diff coverage is 35.39%.

@@            Coverage Diff             @@
##             main   #19213      +/-   ##
==========================================
- Coverage   46.55%   46.52%   -0.04%     
==========================================
  Files         856      857       +1     
  Lines      123018   123235     +217     
==========================================
+ Hits        57277    57341      +64     
- Misses      58814    58951     +137     
- Partials     6927     6943      +16     

Impacted Files	Coverage Δ
cmd/admin.go	0.00% <0.00%> (ø)
cmd/hook.go	7.11% <0.00%> (ø)
cmd/serv.go	2.39% <0.00%> (ø)
models/asymkey/ssh_key_deploy.go	55.55% <ø> (+1.13%)	⬆️
models/helper_environment.go	100.00% <ø> (ø)
modules/context/permission.go	25.39% <0.00%> (ø)
modules/doctor/checkOldArchives.go	22.85% <0.00%> (ø)
modules/doctor/fix16961.go	35.06% <0.00%> (ø)
modules/doctor/mergebase.go	10.25% <0.00%> (ø)
modules/doctor/misc.go	21.55% <0.00%> (ø)
... and 179 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d2c1658...b475df1. Read the comment docs.

[jsievenpiper]

@zeripath thanks for the quick review! Updated the code style 👍🏾

[zeripath]

Hmm...

Do you know if the "FailoverClient" uses the username/password options that we already provide? If not could we just copy them over to the sentinelusername/password instead of creating more options?

If not I guess we have to add this.

[jsievenpiper]

I did some of the sentinel implementation in go-redis so I can answer this!

It doesn't -- sentinels are a separate server than the main redis instances, and can (and often are) authenticated separately, especially in a Redis 6-7 world where ACL auth allows you to restrict scope on a user-level basis. i.e. I only get support for looking for the main redis instance via my sentinel credentials, but I can then use much more powerful read/write credentials against the main redis instance. That's why UniversalOptions and FailoverOptions have separate fields for each.

[zeripath]

It doesn't -- sentinels are a separate server than the main redis instances, and can (and often are) authenticated separately, especially in a Redis 6-7 world where ACL auth allows you to restrict scope on a user-level basis. i.e. I only get support for looking for the main redis instance via my sentinel credentials, but I can then use much more powerful read/write credentials against the main redis instance. That's why UniversalOptions and FailoverOptions have separate fields for each.

So what I'm asking is if the opts.Failover() don't pass the opts.Username/opts.Password or use them ... Then instead of creating new query options in the connection string we can just reuse the current username and password parts of the uri and on use of sentinel we just copy the username password to the appropriate parts of the options.

If not fine, it's fine to create a new set of query options.

[jsievenpiper]

So what I'm asking is if the opts.Failover() don't pass the opts.Username/opts.Password or use them ... Then instead of creating new query options in the connection string we can just reuse the current username and password parts of the uri and on use of sentinel we just copy the username password to the appropriate parts of the options.

I believe I understand you, but my response should still be valid -- you need both sets of credentials for sentinel. The FailoverClient uses a set of credentials for authentication against the sentinel (what this PR adds) and a separate set of credentials once the sentinels have designated a redis master instance, in which the client will then connect with the other (existing) set of credentials.

So FailoverOptions provides both sets of credentials because it's a two-phase process with two different authentication credential pairs.

[6543]

#19213 (comment)

else ack

[jsievenpiper]

@6543

else ack

Roger that, new log line tossed in -- whipped up some tests there as well

[6543]

please no force push - I have to review all again

[6543]

we squash-merge so you can just merge master into your branch to resolve conflicts

[6543]

nice work - and thanks for the tests - appreciate them :)

[wxiaoguang]

Very good refactoring 👍

[jsievenpiper]

Thanks everyone! Appreciate the active community here 👍🏾